Use htmlspecialchars on HTML inputs to format

Joshua Ramon Enslin 2022-02-05 02:43:35 +01:00
parent cfcae5fb2b
commit 942de26411
Signed by: jrenslin
GPG Key ID: 46016F84501B70AE


@ -52,12 +52,12 @@ final class MDMailFormat {
$input = trim($input); $input = trim($input);
$this->_msg_html .= "<h1 style='" . self::CSS_H1 . "'>"; $this->_msg_html .= "<h1 style='" . htmlspecialchars(self::CSS_H1) . "'>";
if ($this->use_logo === true) { if ($this->use_logo === true) {
$this->_msg_html .= "<img style='" . self::CSS_LOGO . "' src=\"cid:mdlogo\" alt='' />"; $this->_msg_html .= "<img style='" . htmlspecialchars(self::CSS_LOGO) . "' src=\"cid:mdlogo\" alt='' />";
} }
$this->_msg_html .= "<span style='" . self::CSS_H1_SPAN . "'>" . nl2br($input) . "</span></h1>"; $this->_msg_html .= "<span style='" . htmlspecialchars(self::CSS_H1_SPAN) . "'>" . nl2br(htmlspecialchars($input)) . "</span></h1>";
$this->_msg_plain .= "{$input} $this->_msg_plain .= $input . "
=================== ===================
"; ";
@ -74,8 +74,8 @@ final class MDMailFormat {
$input = trim($input); $input = trim($input);
$this->_msg_html .= "<h2 style='" . self::CSS_H2 . "'>" . nl2br($input) . "</h2>"; $this->_msg_html .= "<h2 style='" . htmlspecialchars(self::CSS_H2) . "'>" . nl2br(htmlspecialchars($input)) . "</h2>";
$this->_msg_plain .= "{$input} $this->_msg_plain .= $input . "
------------------- -------------------
"; ";
@ -92,10 +92,8 @@ final class MDMailFormat {
$input = trim($input); $input = trim($input);
$this->_msg_html .= "<p style='" . self::CSS_P . "'>" . nl2br($input) . "</p>"; $this->_msg_html .= "<p style='" . htmlspecialchars(self::CSS_P) . "'>" . nl2br(htmlspecialchars($input)) . "</p>";
$this->_msg_plain .= " $this->_msg_plain .= PHP_EOL . $input . PHP_EOL;
{$input}
";
} }
@ -111,10 +109,8 @@ final class MDMailFormat {
$input = trim($input); $input = trim($input);
$this->_msg_html .= "<a style='" . self::CSS_A_BUTTONLIKE . "' class='buttonLike' href='" . $href . "'>" . nl2br($input) . "</a>"; $this->_msg_html .= "<a style='" . htmlspecialchars(self::CSS_A_BUTTONLIKE) . "' class='buttonLike' href='" . htmlspecialchars($href) . "'>" . nl2br(htmlspecialchars($input)) . "</a>";
$this->_msg_plain .= " $this->_msg_plain .= PHP_EOL . $input . ": " . $href . PHP_EOL;
{$input}: {$href}
";
} }
@ -130,8 +126,8 @@ final class MDMailFormat {
$input = trim($input); $input = trim($input);
$this->_msg_html .= "<a style='" . self::CSS_A_NORMAL . "' href='" . $href . "'>" . nl2br($input) . "</a>"; $this->_msg_html .= "<a style='" . htmlspecialchars(self::CSS_A_NORMAL) . "' href='" . htmlspecialchars($href) . "'>" . nl2br(htmlspecialchars($input)) . "</a>";
$this->_msg_plain .= "{$input}: {$href}"; $this->_msg_plain .= $input . ": " . $href;
} }
@ -141,7 +137,7 @@ final class MDMailFormat {
* @return void * @return void
*/ */
public function startUl():void { public function startUl():void {
$this->_msg_html .= "<ul style='" . self::CSS_UL . "'>"; $this->_msg_html .= "<ul style='" . htmlspecialchars(self::CSS_UL) . "'>";
$this->_msg_plain .= PHP_EOL; $this->_msg_plain .= PHP_EOL;
} }
@ -163,7 +159,7 @@ final class MDMailFormat {
* @return void * @return void
*/ */
public function startOl():void { public function startOl():void {
$this->_msg_html .= "<ol style='" . self::CSS_OL . "'>"; $this->_msg_html .= "<ol style='" . htmlspecialchars(self::CSS_OL) . "'>";
$this->_msg_plain .= PHP_EOL; $this->_msg_plain .= PHP_EOL;
} }
@ -190,7 +186,7 @@ final class MDMailFormat {
$input = trim($input); $input = trim($input);
$this->_msg_html .= "<li>{$input}</li>"; $this->_msg_html .= "<li>" . htmlspecialchars($input) . "</li>";
$this->_msg_plain .= PHP_EOL . "- {$input}"; $this->_msg_plain .= PHP_EOL . "- {$input}";
} }
@ -235,7 +231,7 @@ final class MDMailFormat {
* @return void * @return void
*/ */
public function appendHr():void { public function appendHr():void {
$this->_msg_html .= "<hr style='" . self::CSS_HR . "' />"; $this->_msg_html .= "<hr style='" . htmlspecialchars(self::CSS_HR) . "' />";
$this->_msg_plain .= PHP_EOL . "----------" . PHP_EOL; $this->_msg_plain .= PHP_EOL . "----------" . PHP_EOL;
} }
@ -249,7 +245,7 @@ final class MDMailFormat {
*/ */
public function appendInlineText(string $input):void { public function appendInlineText(string $input):void {
$input = trim($input); $input = trim($input);
$this->_msg_html .= $input . " "; $this->_msg_html .= htmlspecialchars($input) . " ";
$this->_msg_plain .= $input . " "; $this->_msg_plain .= $input . " ";
} }
@ -272,17 +268,17 @@ final class MDMailFormat {
<meta http-equiv=”X-UA-Compatible” content=”IE=edge” /> <meta http-equiv=”X-UA-Compatible” content=”IE=edge” />
<meta name=”viewport” content=”width=device-width, initial-scale=1.0 /> <meta name=”viewport” content=”width=device-width, initial-scale=1.0 />
<style> <style>
a.buttonLike { ' . self::CSS_A_BUTTONLIKE . ' } a.buttonLike { ' . htmlspecialchars(self::CSS_A_BUTTONLIKE) . ' }
a.buttonLike:hover { ' . self::CSS_A_BUTTONLIKE_HOVER . ' } a.buttonLike:hover { ' . htmlspecialchars(self::CSS_A_BUTTONLIKE_HOVER) . ' }
p { ' . self::CSS_P . ' } p { ' . htmlspecialchars(self::CSS_P) . ' }
ul { ' . self::CSS_UL . ' } ul { ' . htmlspecialchars(self::CSS_UL) . ' }
ol { ' . self::CSS_OL . ' } ol { ' . htmlspecialchars(self::CSS_OL) . ' }
hr { ' . self::CSS_HR . ' } hr { ' . htmlspecialchars(self::CSS_HR) . ' }
#footer { ' . self::CSS_FOOTER . ' } #footer { ' . htmlspecialchars(self::CSS_FOOTER) . ' }
#footer a { ' . self::CSS_A_FOOTER . ' } #footer a { ' . htmlspecialchars(self::CSS_A_FOOTER) . ' }
#footer a:hover { ' . self::CSS_A_FOOTER_HOVER . ' } #footer a:hover { ' . htmlspecialchars(self::CSS_A_FOOTER_HOVER) . ' }
h1 img { ' . self::CSS_LOGO . ' } h1 img { ' . htmlspecialchars(self::CSS_LOGO) . ' }
h1 span { ' . self::CSS_H1_SPAN . ' } h1 span { ' . htmlspecialchars(self::CSS_H1_SPAN) . ' }
</style> </style>
</head> </head>
<body> <body>
@ -292,8 +288,8 @@ final class MDMailFormat {
$output .= trim($this->_msg_html); $output .= trim($this->_msg_html);
$output .= ' $output .= '
<div id="footer" style="' . self::CSS_FOOTER . '"> <div id="footer" style="' . htmlspecialchars(self::CSS_FOOTER) . '">
<a style="' . self::CSS_A_FOOTER . '" href="' . MD_CONF_EMAIL::MAIL_TOOL_LINK . '">' . MD_CONF_EMAIL::MAIL_TOOL_NAME . '</a> <a style="' . htmlspecialchars(self::CSS_A_FOOTER) . '" href="' . htmlspecialchars(MD_CONF_EMAIL::MAIL_TOOL_LINK) . '">' . htmlspecialchars(MD_CONF_EMAIL::MAIL_TOOL_NAME) . '</a>
</div> </div>
</div> </div>
</div> </div>
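Review bot: The escaping added to the single-quoted attributes (`style='...'` on the `<h1>`, `<img>`, `<span>`, `<h2>`, `<p>`, `<a>`, `<ul>`, `<ol>` and `<hr>` lines, and `href='...'` on both `<a>` lines) relies on htmlspecialchars() encoding the apostrophe, which it only does by default from PHP 8.1 on; on older releases the default flags are ENT_COMPAT, so a value containing `'` still terminates the attribute. Pass the flags explicitly, e.g. a small helper `private static function esc(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }` used at every call site, which also makes the encoding independent of the default_charset ini setting. The same call is a context mismatch inside the `<style>` element in the `@ -272,17` hunk: character references are not decoded in raw-text CSS, so any constant containing a quote, `&`, `<` or `>` (quoted font names, `content:` strings, child combinators) would be emitted literally as `&quot;`/`&amp;`/`&gt;` and break the rule, whereas in a `style=` attribute the decoding does happen and the escaping is correct. Separately, attribute-escaping `$href` keeps it inside the quotes but does not constrain its scheme, so if `$href` can originate from user-supplied data it should be validated as an http(s) URL before being placed in the link. Every method touched here starts outside its hunk, and the final hunk's last line appears to lie beyond this excerpt.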